Accountants can play a crucial role in strengthening corporate defences against cybercrime, says Irfan Hemani, Deputy Director of UK Cyber Security Policy at DSIT. At ICAEW’s Annual Cyber Lecture, Hemani told members that, as a trained accountant, he recognised the influence that finance professionals have as trusted advisers to boards and senior executives, “and their ability to change the dial on protecting UK businesses”. While cyber threats are often treated as operational matters, he stressed, they are increasingly collapsing organisations’ capacity to operate. “This should elevate cyber from being an operational risk to being a financial and strategic one,” he said.
Hostile activity
Held on Monday, 6 October at Chartered Accountants’ Hall, the lecture focused on ransomware and the evolution of cyber threats. Members were warned that the threat landscape has already become industrialised and is likely to grow more professional over time.
In his opening talk, Cub Llewelyn-Davies – Head of Strategic Resilience Interventions at the National Cyber Security Centre (NCSC) – pointed out that cybercrime in the UK is no longer an emerging threat, but fully present within our economy.
“High-profile cyber attacks we’ve seen this year have given us pause,” he said. “Not because they’re unique – but precisely because they are not. Cyber is no longer just a technical issue. It’s a matter of economic security, investor confidence and, increasingly, national resilience. In the last year, the NCSC has managed over 200 cyber incidents, including twice as many that reach a threshold of national significance as the year before. That’s startling.”
In Llewelyn-Davies’s assessment, the threat landscape is diversifying at speed. Hostile activity in UK cyberspace is rising in frequency, sophistication and intensity. What was once opportunistic crime is now strategic, targeted and often state-backed – with China, Russia and North Korea leading the charge. Attackers are also achieving wider impact.
“The recent attack on Jaguar Land Rover (JLR) wasn’t just a disruption to one company,” Llewelyn-Davies said. “JLR sits at the top of a vast pyramid of suppliers. When its systems went down, the ripple effects were really severe to a lot of companies in the supply chain.”
However, he noted: “The organisations that handle these incidents best are the ones that have rehearsed them.”
Board-level concern
With that in mind, Hemani outlined three steps organisations must take to strengthen their defences.
“Step One is to make cyber risk a board-level priority,” he said. “The Cyber Governance Code of Practice released by the UK Government earlier this year helps companies do just that. Effective governance of cyber risk is fundamental to business resilience. Executive and non-executive directors must take ownership.”
While not all attacks can be stopped, Hemani said, a critical part of good governance is rehearsing major incident response. In the worst case, you may have to operate without your full IT infrastructure for weeks or months. DSIT urges businesses to drill how to continue operations and rebuild following a destructive incident. “Cyber risk having the attention of audit committees and boards is critical for an organisation’s ability to reduce the impact of an attack,” Hemani said.
Step Two involves businesses and their clients signing up for NCSC’s Early Warning system. “This free service informs you of potential cyber attacks on your network,” Hemani noted, “giving you invaluable time to detect and stop an incident before it escalates.”
Step Three is to follow Cyber Essentials (CE) throughout your entire supply chain. “Only 14% of businesses assess cyber risks posed by their immediate suppliers,” Hemani said. “CE is a highly effective, government-backed scheme that certifies organisations to have foundational protections in place to prevent common attacks. It’s the minimum cyber security standard that businesses should seek to obtain – and organisations with CE are 92% less likely to make a claim on their cyber insurance.”
Monitoring vendors
In the closing panel chaired by ICAEW Head of Tech Policy Esther Mallowah, Hemani and Llewelyn-Davies were joined by cyber resilience expert Radhika Modha, Director, Security Governance, Risk and Compliance at Alvarez & Marsal.
Asked about managing supply-chain cyber risks, Modha highlighted three measures. “First, understand how security links into your entire business environment,” she said. “Think about how you are connected to your suppliers more broadly – not just on the IT side. Do you understand the processes? Are you working closely with vendors to make sure those processes are updated? Do you have regular touch points to ask what they’re seeing from a risk perspective?”
Second, Modha urged members to build a clear picture of how their control environment supports supply-chain activities in ways that reflect how their business operates, not just through a checklist.
“Third, continuously monitor your vendor ecosystem,” she said. “Security is an ongoing exercise – and a vendor’s security posture may not remain as it was at the start of the relationship. So, how are you monitoring that? How are you identifying any lapses in how that vendor is working, and what that might mean for your organisation?”
Asked about the current state of cyber disclosures in corporate reporting, Llewelyn-Davies noted that materials that have come to NCSC’s attention leave much to be desired. “We’re increasingly finding that the quality and consistency of cyber risk disclosures is insufficient,” he said. “They are typically very short and boilerplate. They don’t give investors enough information to have confidence that, ultimately, a clear and present risk to the economy and – by extension – individual organisations is being effectively managed.”
As such, he added, NCSC requests that organisations disclose their risk assessment processes, security investments and cyber policy governance, including the board's involvement.
Action on cyber security can boost growth
As part of ICAEW's campaign on backing business-led growth, we have outlined three key recommendations for government on cyber security:
- Establish a national cyber resilience fund for SMEs
- Enhance cyber security education and awareness
- Incentivise cyber insurance uptake
Cyber security awareness
Each year ICAEW marks global Cyber Security Awareness Month with a series of resources and a podcast addressing the latest issues and how to protect your business.